Researchers Investigating Stuxnet and Duqu Variants

Malware Suxnet and its sibling Duqu may be just the first of many malicious code attack programs discovered, according to Kaspersky Lab researchers.

Previously known malware files uncovered by researchers studying Duqu and Stuxnet proved to be closely related and probably developed by the same team as simultaneous projects, the researchers concluded in a recent blog post. The known variants might be just the tip of the iceberg.

"They are part of a well-oiled machine, or factory," said Roel Schouwenberg, senior Kaspersky researcher. "We have gone from calling them siblings to the realization that there is an underlying platform being used."

He said he suspects that other Trojans based on the platform are operational, although so far this is based on circumstantial evidence.

That evidence includes other software drivers nearly identical to those used to deliver Stuxnet and Duqu — some of them developed at the same time and signed with the same digital certificates — as well as fragments of log files on command-and-control computers.

"I expect we are going to find more global operations this year," Schouwenberg said.

Unfortunately, the new findings bring researchers no closer to knowing for sure who the developers of the code are. Schouwenberg said the best clues to that still are offered by Stuxnet, which appears to have been targeted at a very specific piece of machinery used in the Iranian uranium enrichment program. Developing and testing that payload would have required access to a nearly identical set-up, Schouwenberg said.

"There are only a handful of countries in the world that have the facilities to replicate the enrichment facilities," he said.

Stuxnet was publicly revealed in July 2010 and probably was developed more than a year before that. Duqu was discovered in 2011 and appears to have been developed from the same source code, although its payload appears to be intended for information gathering. Its target is not known, although Schouwenberg speculated it could be used to gather intelligence about Iran's nuclear program.

Kaspersky researchers Alexander Gostev and Igor Soumenkov came upon additional driver files while investigating Duqu that suggest the development project dates back at least to 2007 and possibly includes other programs developed since 2008 whose purpose is not yet known.

An antivirus engine detected a file on a computer infected with Duqu and identified it as a Stuxnet variant, although the researchers found it was larger than the reference file used to identify Stuxnet and had a different name. It was signed with the same certificate, however.

"We came to the conclusion that there could be other driver files similar to the ‘reference' file, which are not among known variants of Stuxnet," the researchers wrote.

A search of archived examples of malware turned up another example of related code. The family tree they reconstructed led them to conclude that there were a number of projects in the Stuxnet development program using the same platform.

"The platform continues to develop, which can only mean one thing -- we're likely to see more modifications in the future," they wrote.

Schouwenberg added that partial log files from a Duqu command-and-control server that were examined suggested that the person setting up the server was not experienced.

"It's very strange when you think about it," he said. "To me, it shows that Duqu is one part of an ongoing project." If Duqu was a flagship operation, only senior persons would have been involved, he said.

Roger Thompson, chief emerging threats researcher at ICSA Labs, said the Kaspersky research is credible and the fact that so few examples of the code have been found in the wild is troubling.

"The most dangerous hack is the one you don't know about," he said. "They went to a lot of trouble to cover their tracks."

He said the emergence of the Stuxnet family is part of a trend that began about eight years ago, when some malicious code that was being discovered was kept hidden rather than shared in the industry in order to protect presumably high-profile government and corporate victims.

Thompson said that personal data being culled from increasing online activities is creating a pool of intelligence that will increasingly be used to deliver sophisticated and highly targeted malware.

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).